Description
IIS 4.0 allows local users to bypass the "User cannot change password" policy for Windows NT by directly calling .htr password changing programs in the /iisadmpwd directory, including (1) aexp2.htr, (2) aexp2b.htr, (3) aexp3.htr , or (4) aexp4.htr.
Products
- Microsoft Windows NT 4.0 Server
- Microsoft Windows 4.0 gold server
- Microsoft Windows 4.0 sp1 server
- Microsoft Windows 4.0 sp2 server
- Microsoft Windows 4.0 sp3 server
- Microsoft Windows 4.0 sp4 server
- Microsoft Windows 4.0 sp5 server
- Microsoft Windows 4.0 sp6 server
- Microsoft Windows 4.0 sp6a server
- Microsoft Windows NT 4.0 Server Post Service Pack 6a Security Rollup
Questions to Ask Vendors
- Can you confirm whether your systems are affected by CVE-2002-0421, and if so, what steps are you currently taking to mitigate this vulnerability?
- What is your estimated timeline for fully resolving CVE-2002-0421 in your products or services, and how will you communicate updates on this issue to us as your customer?
Recommended Actions
- Check out the advisory links provided below.
References